QUESTION 17
Case Study 1 – Contoso, Ltd

Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
The Montreal office has 2,000 employees. The Seattle office has 1,000 employees. The New York office has 200 employees.
All the resources used by Contoso are hosted on-premises.
Contoso creates a new Azure subscription. The Azure Active Directory (Azure AD) tenant uses a domain named contoso.onmicrosoft.com. The tenant uses the P1 pricing tier.

Existing Environment
The network contains an Active Directory forest named contoso.com. All domain controllers are configured as DNS servers and host the contoso.com DNS zone.
Contoso has finance, human resources, sales, research, and information technology departments. Each department has an organizational unit (OU) that contains all the accounts of that respective department. All the user accounts have the department attribute set to their respective department. New users are added frequently.
Contoso.com contains a user named User1.
All the offices connect by using private links.
Contoso has data centers in the Montreal and Seattle offices. Each data center has a firewall that can be configured as a VPN device.
All infrastructure servers are virtualized. The virtualization environment contains the servers in the following table.

Contoso uses two web applications named App1 and App2. Each instance on each web application requires 1GB of memory.
The Azure subscription contains the resources in the following table.

The network security team implements several network security groups (NSGs).

Planned Changes
Contoso plans to implement the following changes:
– Deploy Azure ExpressRoute to the Montreal office.
– Migrate the virtual machines hosted on Server1 and Server2 to Azure.
– Synchronize on-premises Active Directory to Azure Active Directory (Azure AD).
– Migrate App1 and App2 to two Azure web apps named WebApp1 and WebApp2.

Technical requirements
Contoso must meet the following technical requirements:
– Ensure that WebApp1 can adjust the number of instances automatically based on the load and can scale up to five instances.
– Ensure that VM3 can establish outbound connections over TCP port 8080 to the application servers in the Montreal office.
– Ensure that routing information is exchanged automatically between Azure and the routers in the Montreal office.
– Ensure Azure Multi-Factor Authentication (MFA) for the users in the finance department only.
– Ensure that webapp2.azurewebsites.net can be accessed by using the name app2.contoso.com.
– Connect the New York office to VNet1 over the Internet by using an encrypted connection.
– Create a workflow to send an email message when the settings of VM4 are modified.
– Create a custom Azure role named Role1 that is based on the Reader role.
– Minimize costs whenever possible.

You need to meet the technical requirement for VM4.
What should you create and configure?

Answer: B
Explanation:
Scenario: Create a workflow to send an email message when the settings of VM4 are modified.
You can start an automated logic app workflow when specific events happen in Azure resources or third-party resources. These resources can publish those events to an Azure event grid. In turn, the event grid pushes those events to subscribers that have queues, webhooks, or event hubs as endpoints. As a subscriber, your logic app can wait for those events from the event grid before running automated workflows to perform tasks – without you writing any code.
References:
https://docs.microsoft.com/en-us/azure/event-grid/monitor-virtual-machine-changes-event-grid-logic-app

QUESTION 18
Case Study 1 – Contoso, Ltd

You need to recommend a solution to automate the configuration for the finance department users. The solution must meet the technical requirements.
What should you include in the recommendation?

QUESTION 19
Case Study 1 – Contoso, Ltd

Hotspot Question
You need to prepare the environment to implement the planned changes for Server2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Create a Recovery Services vault
Create a Recovery Services vault on the Azure Portal.
Box 2: Install the Azure Site Recovery Provider
Azure Site Recovery can be used to manage migration of on-premises machines to Azure.
Scenario: Migrate the virtual machines hosted on Server1 and Server2 to Azure.
Server2 has the Hyper-V host role.
References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

QUESTION 20
You have an on-premises network that contains a Hyper-V host named Host1. Host1 runs Windows Server 2016 and hosts 10 virtual machines that run Windows Server 2016.
You plan to replicate the virtual machines to Azure by using Azure Site Recovery.
You create a Recovery Services vault named ASR1 and a Hyper-V site named Site1.
You need to add Host1 to ASR1.
What should you do?

A. Download the installation file for the Azure Site Recovery Provider. Download the vault registration key. Install the Azure Site Recovery Provider on Host1 and register the server.
B. Download the installation file for the Azure Site Recovery Provider. Download the storage account key. Install the Azure Site Recovery Provider on Host1 and register the server.
C. Download the installation file for the Azure Site Recovery Provider. Download the vault registration key. Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.
D. Download the installation file for the Azure Site Recovery Provider. Download the storage account key. Install the Azure Site Recovery Provider on each virtual machine and register the virtual machines.

Answer: A
Explanation:
Download the Vault registration key. You need this when you install the Provider. The key is valid for five days after you generate it.
Install the Provider on each VMM server. You don’t need to explicitly install anything on Hyper-V hosts.
Incorrect Answers:
B, D: Use the Vault Registration Key, not the storage account key.
References:
https://docs.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure

QUESTION 21
You plan to move services from your on-premises network to Azure.
You identify several virtual machines that you believe can be hosted in Azure. The virtual machines are shown in the following table.

Which two virtual machines can you access by using Azure Migrate? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

QUESTION 22
You have an Azure subscription that contains a virtual network named VNet1. VNet1 has two subnets named Subnet1 and Subnet2. VNet1 is in the West Europe Azure region.
The subscription contains the virtual machines in the following table.

You need to deploy an application gateway named AppGW1 to VNet1.
What should you do first?

QUESTION 23
You have an Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.
The virtual machines host several applications that are accessible over port 443 to users on the Internet.
Your on-premises network has a site-to-site VPN connection to VNet1.
You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.
You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.
What should you do?

A. Modify the address space of the local network gateway.
B. Remove the public IP addresses from the virtual machines.
C. Modify the address space of Subnet1.
D. Create a deny rule in a network security group (NSG) that is linked to Subnet1.

Answer: D
Explanation:
You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources.
References:
https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

QUESTION 24
You have a public load balancer that balances ports 80 and 443 across three virtual machines.
You need to direct all the Remote Desktop Protocol (RDP) connections to VM3 only.
What should you configure?

A. an inbound NAT rule
B. a load balancing rule
C. a new public load balancer for VM3
D. a frontend IP configuration

QUESTION 25
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains four subnets named Gateway, Perimeter, NVA, and Production.
The NVA subnet contains two network virtual appliances (NVAs) that will perform network traffic inspection between the Perimeter subnet and the Production subnet.
You need to implement an Azure load balancer for the NVAs. The solution must meet the following requirements:
– The NVAs must run in an active-active configuration that uses automatic failover.
– The NVA must load balance traffic to two services on the Production subnet. The services have different IP addresses.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

QUESTION 26
You have five Azure virtual machines that run Windows Server 2016. The virtual machines are configured as web servers.
You have an Azure load balancer named LB1 that provides load balancing services for the virtual machines.
You need to ensure that visitors are serviced by the same web server for each request.
What should you configure?

QUESTION 27
You have an Azure subscription that contains a policy-based virtual network gateway named GW1 and a virtual network named VNet1.
You need to ensure that you can configure a point-to-site connection from VNet1 to an on-premises computer.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Reset GW1.
B. Add a service endpoint to VNet1.
C. Add a connection to GW1.
D. Add a public IP address space to VNet1.
E. Delete GW1.
F. Create a route-based virtual network gateway.

Answer: EF
Explanation:
E: Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. It is typically built on firewall devices that perform packet filtering. IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.
F: A VPN gateway is used when creating a VPN connection to your on-premises network.
Route-based VPN devices use any-to-any (wildcard) traffic selectors, and let routing/forwarding tables direct traffic to different IPsec tunnels. It is typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).
Incorrect Answers:
D: Point-to-Site connections do not require a VPN device or a public-facing IP address.
References:
https://docs.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-portal
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps